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Abstract 

In a mobile computing environment, it is desir* 
able to protect information about ike movements and 
activiiies of mobile entities from onlookers. Solutions 
to this problem of providing anonymity have to be de- 
veloped with ike constraints of mobile computing envi- 
ronments in mind. In this paper, it is argued thai this 
issue merits investigation. A brief survey of the nature 
of anonymity provided in proposed or existing mobile 
computing environments is presented. It is argued fur- 
ther that achieving limited but practical anonymity us- 
ing standard cryptographic techniques is feasible. Ex- 
ample solutions are presented. 

1 Introduction to the Problem 

In a distributed system where some entities (i.e. 
users and computing devices) are mobile, it is often 
desirable to keep information about their movements, 
locations and activities confidential. The modalities of 
providing such anonymity depend on the underlying 
security infrastructure of the system. Typically, this 
infrastructure is built using a shared key cryptosys- 
tem (SKCS), a public key cryptosystem (PKCS) or a 
hybrid system. 

Anonymity has two aspects [4]. Anonymity of lo- 
cation deals with keeping an entity's movements and 
whereabouts confidential. Anonymity of data ori- 
gin/destination deals with keeping an entity's activ- 
ities confidential. The latter seeks to prevent an on- 
looker from associating the entity with messages sent 
to/from it or with the sessions in which it is a partici- 
pant. Within the context of this paper, anonymity as a 
goal does not imply unrestrained anonymity; it implies 
the protection of relevant information from unintended 
parties. For example, I assume that a server may de- 
mand that a potential client reveal its true identity 
and perhaps provide adequate authentication as a pre- 
requisite to the use of services. 

In traditional computing environments, with fixed 
entities and wireline networks, anonymity of location 



has not been considered a significant issue. In a mo- 
bile computing environment, it assumes greater im- 
portance. It is likely to be an important security prob- 
lem to solve before mobile computing gains wide ac- 
ceptance. Anonymity is especially desirable when an 
entity travels outside of its *home domain.'^ In spite 
of that, it has not been considered a basic requirement 
in designing protocols for mobile computing environ- 
ments (e.g. the IETF mobile-IP effort [12] has not yet 
addressed this issue). Like every other aspect of secu- 
rity, provision of anonymity is tightly coupled with the 
architecture of the rest of the system. For instance, 
providing anonymity of network layer identity wiU be 
of little use if the routing protocol uses re-direction: 
an onlooker who has access to a router elsewhere on 
the system can determine the whereabouts of a mobile 
entity by trying to send a message to it. Therefore, the 
problem of providing anonymity should be considered 
during the design stage of building mobile computing 
environments. 

There are philosophical motivations for providing 
anonymity as well. An entity that chooses to protect 
its location and activities from unintended third par- 
ties must have the mechanisms available to do so even 
if openness and full disclosure is a common policy. Be- 
sides, the principle of least information is a good rule 
to live by in designing security systems. 

The rest of this document describes some proposed 
solutions to the anonymity problem and makes sugges- 
tions for improving them. The basic theme behind the 
suggestions is that effective anonymity can be achieved 
by making a limited disclosure of information. 



*A domain consists of entities that fall within a common 
administrative control. 
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2 Solutions 



2.1 Shared Key Cryptosystems 

In a distributed system with a security infrastruc- 
ture based on a SKCS, an entity (the *client') authen- 
ticates itself to another entity (the * server') by demon- 
strating the possession of a secret key shared between 
them. To do this, the client has to first announce its 
(claimed) identity in the clear. This makes it hard to 
provide anonymity of location. 

An intuitive solution is to use the notion of nick- 
names, Molva et. al. [11] suggest that a mobile entity 
could use a traveling alias when it travels in foreign 
domains. Only the mobile entity and its home domain 
will know the mapping between the traveling alias Mt 
and the real identity M, They go on to suggest that 
Mt be changed **at regular intervals; perhaps as of- 
ten as passwords or PINs." However, in the absence 
of a protocol to change traveling aliases over an inse- 
cure channel} entities can change traveling aliases only 
when they return to their home domain. Such travel- 
ing aliases with fairly long lifetimes may be problem- 
atic in certain circumstances. For example^ as men- 
tioned before, the mobile entity may be called upon to 
reveal (and even- prove) its real identity M before be- 
ing granted certain services in foreign domains. With 
time, the set of entities that know the mapping be- 
tween Mt and M will grow. Further, an onlooker will 
be able to use a long lived alias Mt to link the various 
activities of M for the period during which the alias 
remains in effect. 

An alternative is to use short-lived aliases [8]. 
Aliases are changed by mutual agreement between the 
mobile entity and its home domain server. This im- 
pUes that the mobile and the home domain stay syn- 
chronized. If synchronization is lost, a sub-protocol 
is necessary for re-synchronization. Achieving re- 
synchronization securely is a challenge. In [8] the mo- 
bile entity may be required to send its identity in the 
clear in order to achieve resynchionizaiion. This, as 
observed in the same document, constitutes a "breach 
in the provision of the service." 



Loss of synchronization is likely to be rare. In ad- 
dition, the home domain is likely to have significant 
computing resources at its disposal. Therefore, in the 
event of loss of synchronization, I suggest that it may 
be reasonable to expect the mobile M to simply send 
a message to H encrypted with Khm- H can then 
search through its database of shared secret keys un- 
til it finds otic that can extract the message. If the 
number of entities in H^s jurisdiction renders this an 
expensive operation, then I suggest that H can divide 
the principals into groups of manageable sizes, each 
with a unique group identifier. When synchroniza- 
tion is lost, M can send an encrypted message along 
with its group identifier. This way, a reduced level of 
anonymity can be provided by making a limited dis- 
closure of information. 

Preserving anonymity of data origin is similar to 
preserving anonymity of location. Anonymity of data 
destination is somewhat different when the destina- 
tion is a mobile entity. Carlsen^s solution [4] suggests 
essentially (see below for a clarification) the following: 
a domain server D that wants to send a message to a 
mobile M currently present in its domain, will multi- 
cast a message {A/, Ks}kpm to all the mobile entities 
currently present in the domain. Each mobile will at- 
tempt to decrypt every such multicast message. Only 
M will be able to recover the message and the session 
key K, which can be used to secure the subsequent 
session. Carlsen argues that in a portable (voice) 
communication system, such a computing load on mo- 
bile entities is reasonable assuming 3 calls per hour. 
The arguments may not be applicable in a data com- 
munication system where the frequency of messages 
to a mobile entity can be potentially much higher. 
Carlsen *s model actually consists of various ports (or 
base stations in more common parlance). Each port 
serves a number of mobile entities that happen to be 
inside its region. Thus, it is a port which attempts 
to send a message to a mobile M without revealing 
M^s identity to an onlooker. The description here is 
conceptually similar to Carlsen*s solution. 

2,2 Public Key Cryptosystems 

Public key cryptosystems can provide location and 
data origin anonymity in a natural way. The mobile 
M can use the domain server D^s public key to 
encrypt messages to it. Within an administrative do- 
main, each M can be required to know the public key 
Kjf of its home domain server. However, when M 
wanders into a different domain R, it cannot be ex- 
pected to know the public key, Kji. It has to iden- 
tify itself first so that R can determine how to mutu- 
ally authenticate M. The decrypt-on-the-fly solution 



Notation 

Xj^ - A message X encrypted/sealed by a key K, 

KjiB - A secret key shared between parties B. 

Ka% - Public and private key pair of -A. 

Na ' A nonce created by A. 

M - Mobile entity, 

R - Remote domain M is visiting. 

H - Af 's home domain. 

D • M^s current domain. {H or some R) 
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by Carlsen [4] to provide anonymity of data destina- 
tion (as described in the previous section) will be pro- 
hibitively expensive in the case of a PKCS. 

Some researchers [7] [9] have discouraged the use of 
a PKCS to build authentication protocols for environ- 
nnents with mobile entities. The rationale for this rec- 
ommendation is that the computational complexity of 
known PKCSs aie beyond the limited resources avail- 
able to mobile entities. Even if this argument is valid 
for a specific environment, it is likely to be a tempo- 
rary limitation. What is more relevant is the asymme- 
try in available resources between mobile entities and 
their stationary counterparts. Beller et. al. observe 
[2] that it is feasible to design practical authentication 
mechanisms using PKCSs keeping this asymmetry in 
mind. 

2.3 A Hybrid Solution 

Complete anonymity may be hard to achieve. But 
it might also not be an absolute requirement. The 
earlier notion of limited disclosure can again be used 
to achieve practical anonymity. For instance, it might 
be acceptable to reveal that the visiting mobile entity 
is from domain H (or a suitably large super-domain 
of H)t without revealing its exact identity. A hybrid 
protocol can provide such limited anonymity without 
being too complicated. In the rest of this section I de- 
scribe an example protocol for authenticating a mobile 
entity using the above notion of limited disclosure. 

Consider the following model; the system is par- 
titioned into domains. The authentication server in 
domain H shares a secret key with every entity in 
the domain, ^'s public key is known to every entity 
in its domain. Each pair of domains H and R have 
(or using an inter-domain key distribution protocol, 
can dynamically arrange to have) a shared key K}{r? 
The remote server R will provide services to the visit- 
ing mobile M only if (a) M^s true identity is revealed 
to it and (h) the authenticity of the claimed identity 
is adequately demonstrated. Finally, all network links 
are considered to be insecure channels in which an in- 
truder can observe, modify or destroy data. The goal 
is to achieve satisfactory mutual authentication be- 
tween M and R while minimizing the set of entities 
that can infei the piesence oi M in R by watching the 
trafRc. 

The authentication protocol works as follows: 
When a mobile M shows up in a remote domain 
Ry it begins the registration process by identifying 

^Designing b scalable key distribution mechanism is another 
security problem that ha« been made more urgent by the advent 
of mobile computing. While there have been proposals to solve 
this problem by imposing a hierarchy of trust, such a hierarchy 
is not acceptable in all situations. This remains an open issue. 



its home domain H and presenting its credentials 
encrypted with the public key of H , I assume that 
M can compute the key Kmr which is to be used 
for the mutual authentication. I elaborate on the 
computation of Kj^^i below. The first message is sent 
from the M to i2 as follows: 

m\: M^R: CredMR, H, {M, R, NuU^n 
Where, 

CredMR = {M,R,H,{Tm}k^h}k» 

Tm is either a time stamp (which will imply 
the need for loosely synchronized clocks) or some 
indicator of freshness (e.g. a nonce that was handed 
to M the last time it authenticated successfully to 
H). In this description, I will assume that Tm is the 
current timestamp. R cannot verify the credentials. 
It can however find and mutually authenticate H and 
pass the credentials to it. The second message is from 

to ^ as follows: 

M2i R=>H : {R, CredMR, NR^K^n . R 

H can verify the veracity and timeliness of the 
message from M . If the verification succeeds, H has 
to send the necessary information back to complete 
mutual authentication between M and R. The 
exact nature of this information depends on the 
assumptions made. For example, if Tm is a nonce 
and not a timestamp, H has to generate a new nonce 
to be sent back to M so that it can be used in the 
next protocol run. H also needs to inform R (and 
perhaps M) of the key Kmr that is to be used to 
secure the channel between M and i2. H can pick a 
random key Kmr to be used by M and R, Ox Kmr 
can be derived from other information that is unique 
to a given protocol run. For example, Kmr can be a 
one-way hash function h{KMHi R^Tm)- In this case, 
M already possesses enough information to compute 
Kmr when it initiates the protocol. I use the latter. 
This is why I stated that M can compute Kmr 
and use it to encrypt the second part of the mes- 
sage Ml. The third message is from to it as follows: 

M3: II => R: TicknR 

Where, 

TickHR = M, Kmr. NR}K„n 

R can now know the true identity of M. It can 
also extract the key Kmr using which it can extract 
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the second pait of message Ml. It can use these 
to complete the mutual authentication with M as 
follows: 

M4: iZ => M : {N'j,, Nm. M, R}k^^ 

M can use the already computed Kmr to extract 
this message. It can verify that this response is 
timely by checking for the presence of its nonce Nf^ 
inside. It can then respond to the challenge by demon- 
strating to R that it was able to extract the nonce TV^. 

Uhx M^R: {M,R,N*j^}k^^ 

Several variations to this example protocol are pos- 
sible. For example, in message Af5, R can allocate a 
temporary identifier to Af as in [11] to be used in sub- 
sequent messages from and to M while it is in R. The 
same i^Af ii is expected to be used for mutual authen- 
tication between M and R for subsequent connection 
attempts for the entire duration of ilf *s stay in R, But 
R ox M can force a re-authentication involving H at 
any time, should they feel the need to do so. 

This protocol provides limited anonymity since an 
onlooker can only know that an entity from // visited 
72 but cannot determine the exact identity of the en- 
tity. It is scalable in that it can provide anonymity to 
an arbitrary level of granularity: instead of specifying 
H y M could have identified some parent domain H 
of H and used Kfj* to encode its identity relative to 
H . While H shares no secret with M and therefore 
cannot verify the authenticity directly, it can form a 
trusted path to H and pass along the credentials. This 
protocol also takes the asymmetry of computing power 
into account: the mobile entities transfer the burden of 
verifying authenticity to their home domains. Even if 
the inter-domain key distribution protocol was based 
on a PKCS, the expensive task of verifying a chain of 
certificates provided by R will fall on H and not on M . 
There is only one public key operation (encryption us- 
ing if *s public key) that M has to perform. In general, 
the public key operations of a PKCS are less expen- 
sive than the private key operations. M has to store 
a small, finite number of keys in its permanent stor- 
age(e.g. Kmh ^h)- also needs to store K/^ji 
(or enough information to re-compute Kmr) for the 
duration of its stay in R. 

A correctness proof of this protocol using the BAN 
logic [3] appears in [1]. However, the proof only es- 
tablishes that the authentication protocol is correct. 
In future work, I hope to investigate how the analy- 
sis techniques can be used to draw formal conclusions 



about the preservation of anonymity. 

3 Related Work 

A referee pointed me to the work done by David 
Chaum. Chaum and others have done extensive 
work on unconditionally anonymous protocok to im- 
plement, among other things, the digital equivalent 
of cash. The basic theme of security (for providing 
and/or using services and products) without identi- 
fication is expounded by Chaum in [6]. By requir- 
ing that the security of a transaction not be depen- 
dent on establishing the identities of participants to 
one another, it is possible to design protocols that 
achieve complete unconditional anonymity. Uncondi- 
tional anonymity also opens the possibility of "perfect 
crime" (See [13], page 123, for a reference). Chaum 
uses the phrase "limited anonymity" in [5] to denote 
the anonymity provided by a special set of protocols. 
These protocols, like the unconditional anonymity 
protocols, preserve the anonymity of participants from 
onlookers and from each other. However, if necessary 
(for example, by a court warrant), the anonymity of a 
transaction can be undone at a later time. 

In this paper, I assume that the legitimate par- 
ties involved in a transaction can demand to know 
the real identities of the other parties. The concern 
here is to protect the identities of certain parties in- 
volved in the transaction from other onlookers who are 
not legitimate parties to the transaction. By "limited 
anonymity" I mean that some information about the 
identity of a participant is leaked to an eavesdropping 
third party. 

The ideas presented here are intuitive. Similar ideas 
have been used in different contexts. In [10], Maxem- 
chuk et. al. describe various protocols for provid- 
ing anonymity using a building block called "Double 
Locked Box Protocol." Using this protocol, an entity 
A can send a message to another entity B via an in- 
termediary /. A starts by sealing the identity of B in 
a box that only B's computer can open. This box is 
placed inside another box, along with the identity of 
B^s computer and sealed so that only the intermediary 
I can open the outer box. The box is then handed to 
A^s computer. j4's computer cannot see what is inside 
but knows that it needs to be passed to /. / can get no 
information about the sender or recipient except the 
identities of their computers. B^s computer, which re- 
ceives the inner box from / knows nothing about the 
sender. As is evident, the basic idea is that by dis- 
closing a limited amount of information in the clear, 
significant anonymity can be obtained. 
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4 Conclusion 

Anonymity has not been a major issue in tradi- 
tional distributed systems like- the Internet. But the 
advent of mobile computing has provided strong mo- 
tivations to address this problem. Providing complete 
anonymity is often hard, infeasible oi undesirable. 
This document has made suggestions that can help 
provide limited but practical anonymity by using lim- 
ited disclosure of information. Provision of anonymity, 
and security issues in general, must be taken into ac- 
count while mobile computing environments are being 
designed. 
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Abstract 

It is expected that in the near future, tens of niillions of users 
will have access to distributed information systems through 
wireless connections. The technical characteristics of the 
wireless medium and the resulting mobility of both data re- 
sources and data consumers raise new challenging questions 
regarding the development of information systems appropri- 
ate for mobile environments. In this paper, we report on the 
development of such a system. First, we describe the gen- 
eral architecture of the information system and the main 
considerations of our design. Then, based on these con- 
siderations, we present our system support for maintaining 
the consistency of replicated data and for providing transac- 
tion schemas that account for the frequent but predictable 
disconnections, the mobility, and the vulnerability of the 
wireless environment. 

Keywords; New Applications, Information Systems, Mo- 
bile Computing, Transaction Management, Consistency. 

1 Introduction 

In the recent past, technical advances in the development 
of portable computers and the rapidly expanding cordless 
technology have provided the basis for accessing information 
systems through wireless connections. Today, when users 
move, unplug their computer from some local area network, 
transport it, and plug it back to the local area network at 
their destination. Wireless technology provides users with 
the abUity to retain their network connection even while 
moving. This new computing paradigm is called mobile or 
nomadic computing. Mobile computing can be viewed as 
adding a new dimension to the broader vision of universal 
access to information that allows the mobility of data con- 
sumers and data resources. 

Until recently, infrastructure research pertaining to mo- 
bile computing has mostly focused on networking and oper- 
ating systems [18, 8, 17, 25, 4, 23]. Research in networking 
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and communications includes new addressing and routing 
schemas, support for efficient multicasting and broadcast- 
ing, data compression, and relocation transparency. Re- 
search in operating system addresses security issues, file 
systems that support disconnected operation, and caching 
techniques. However, the issues introduced go beyond those 
areas and directly affect information management systems 
[3, 15, 20], Mobile computing introduces new challenging 
problems concerning resource management, information ac- 
quisition [16], and data distribution [13]. 

In this paper, we report on the design of an information 
system for a mobile environment. The goal of this paper is 
twofold. First, we give a general overview of the organization 
of the system and of the important concerns of our design. 
Second, we focus on our system support for consistency and 
transactions and show how our schema is in compliance with 
the general architecture and design concerns. 

The structure of this paper is as follows. In Section 2, we 
introduce the physical architecture, and identify the charac- 
teristics of both the wireless medium and the mobile hosts. 
In Section 3, we define the operation modes of a mobile 
host, present the general object-based architecture of the 
information system, and introduce the main considerations 
of the design. The following two sections focus on consis- 
tency and transaction management. Section 4 describes orir 
schema for maintaining the consistency of replicated data. 
The novelty of this schema is the existence of two types 
of operations (loose and strict) that allows users to spec- 
ify the required degree of consistency of their input data. 
The schema takes into consideration the modes of operation 
and the peculiarities of the mobile environment. Section 5 
discusses the structure of a mobile computation. We argue 
that fiat transactions are inadequate for modeling interac- 
tions in a mobile environment and we propose appropriate 
extensions that account for mobility and recovery. In Sec- 
tion 6, we report briefly on the status of our system. We 
conclude in Section 7 by summarizing the main results of 
our work. 

2 The Characteristics of the Mobile Environment 

Distributed systems that support mobility are physically 
structured as shown in Figure 1 [15]. The architecture con- 
sists of two distinct types of hosts: mobile and fixed hosts. 
Some of the fixed hosts, called base stations ot mobile sup- 
port stations^ are augmented with a wireless interface to 
communicate with mobile hosts. The geographical area cov- 
ered by a base station is called a cell. Each mobile host can 
directly communicate with one base station, the one cover- 
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ing the geographical area in which the mobile host moves. 
The process during which a mobile host enters a new cell 
is called hand-off. To accommodate smooth hand-off, cells 
usually overlap. 



Wireless radio cell 

>' MoWto 



Wireless LAN cell 




Wireless radio ceil 



Figure 1: Mobile System Architecture 



2.1 The Wireless Medium 

The networking infrastructure (also called Personal Commu- 
nication Network (PCN)) is expected to include [9, 15, 3]: 

• cdlular or packet radio modems (e.g., Ericson GE's 
Mobidem), which are characterized by high costs, large 
range coverage, and relatively small bandwidth; 

• satellite services (e.^,, Motorola's Iridiuni), which pro- 
vide wide coverage, but are very expensive, usually 
receive-only and of very low bandwidth; and 

• wireless LANs (traditional LANs extended with, a wire- 
less interface, e.g., NCR WaveLAN, Motorola's AL- 
TAIR, Proxims Range LAN and Telesystem's ARLAN), 
which provide connectivity with low cost within a very 
small geographical area (at a range of few kilometers). 

Wliile the growth in physical network bandwidth has 
been tremendous (in current technology Ethernet provides 
10Mbps, FDD! 100 Mbps and ATM 155 Mbps), products for 
wireless communication achieve only 2Mbps for radio com- 
munication, and 9-14 kbps for cellular telephony [9], The 
typical bandwidth of wireless LANs ranges from 250 bps to 
2Mbps and it is expected to increase to 10Mbps, Since the 
bandwidth is divided between the users sharing a shell, the 
deliverable bandwidth per user will be even lower. Thus, 
it is safe to assume that bandwidth will continue to be a 
scarce resource. Furthermore, an additional reason that 
makes bandwidth consumption a major concern of mobile 
computing designs, is that data transmission over the air is 
monetarily expensive [12], 

In comparison with non-mobile environments, disconnec- 
tions are much more frequent. Furthermore, the wireless 
medium is characterized by much greater variation in net- 
work bandwidth than traditional designs, leading to various 
degrees of disconnections depending on the available band- 
width and noise of the communication channel [9, 14]. Cer- 
tain disconnections are considered foreseeable^ sincQ they can 



be detected by changes in the signal strength, by predict- 
ing the battery's lifetime, or by utilizing knowledge of the 
bandwidth distribution [3, 14]. 
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Table 1 : Typical Values of Mobile Hosts 



2.2 Mobile Hosts 

Mobile hosts, regardless of future tecliiiology advances, will 
have limited computing power, memory and screen size as 
a result of their small size and weight. Some typical values 
are shown in Table 1 [9]. Mobile hosts range from small 
palmtops (e.g., Apple Newton) or specialized data entry de- 
vices (like the ones used by UPS) to tabletop computers with 
wireless interfaces (e.g., AT&T EO). Mobile hosts have lim- 
ited battery capacity, two or three hours under normal use, 
which is expected to increase only 20% over the next 10 
years. Due to this fact, energy preservation is an important 
consideration. Moreover, mobile hosts are more suscepti- 
ble to loss, destruction and theft than static hosts. Table 2 
summarizes the characteristics of the wireless medium and 
of the mobile hosts. 



characteristics of the wireless medium 



characterLslics of mobile hosts 



low bandwidth 
frequent disconnections 
high bandwidth variability 
predictable disconnections 
monetarily expensive 
broadcast is physically 
supportco in a cell 



small size 
small screen 
limited battery life 
susceptible to theft, 
and accidenu 



Table 2: Summary of the Characteristics 



3 System Overview 

In this section we provide an overview of an information 
system for a mobile environment. First, we define the modes 
of operation, then we describe the general architecture, and 
finally, we cpnclude with two important considerations in 
the design of the system. 

3.1 Operation Modes 

While in a nonmobile distributed system a host operates 
in one of two modes regarding its connection to the rest of 
the network (either connected to it or totally disconnected 
from it) in a mobile environment there are more modes of 
operation. We model the different modes of operation of a 
mobile host using the state diagram shown in Figure 2. 

The degree of connection is related to the availability 
of bandwidth. Since total and partial disconnections are 
very frequent, they should not be treated as failures. On 
the contrary, a mobile host should be capable of operating 
even under low or no connection with the fixed network. A 
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mobile host operates in a partly disconnected mode when the 
communication through the wireless network is weak. 

In addition to the modes related to the type of connection 
with the fixed network, a mobile host may switch to the doze 
mode for preserving energy. While in this mode, the clock 
speed is reduced and no user computation is performed. The 
mobile host returns to normal operation upon receipt of any 
message. 



. / '« Hand- off 

Hand-off ] / 




• Figure 2: Operation Modes of a Mobile Host 

Since most of the transitions between modes are predict* 
able, protocols can be designed to prepare the system for a 
transition, 

• A disconnection protocol is executed before the mo- 
bile host is physically detached from the fixed network. 
The protocol should ensure that enough information is 
locally available to the mobile host for its autonomous 
operation during disconnection. It should also notify 
any interested parties for the forecoming disconnec- 
tion, 

• A partial' disconnection protocol prepares the mobile 
host for operation in a mode where all communication 
with the fixed network should be as restricted as pos- 
sible. Selective caching can be used for caching data, 
whose presence in the host will minimize future net- 
work use, 

• Recovery protocols re-establish the connection with the 
fixed network and resume normal operation. 

• Hand' off protocols refer to crossing the boundaries of 
a cell. State information pertaining to the mobile host 
should be transferred to the base station of the new 
ceU. 

Part of these protocols is handled by low-level system op- 
erations. However, the modes are not necessarily completely 
transparent to the applications. Support by the application 



(in our case by the information management system) can 
lead to performance gains. For example, information about 
the type of application can be used to design caching tech- 
niques or limit network access. 

In this paper, we focus on how system support for trans- 
actions and consistency maintenance can take into account 
the modes of operation to increase performance and avail- 
ability. Specifically, in Section 4, we present a replication 
controller, which adjusts with the type of connection. In 
Section 5, we introduce the concept of transaction migra- 
tion to handle hand-ofTs. 

3.2 The Architecture of the Information System 

Users of mobile hosts will have access to a variety of infor- 
mation resources, which will be located in both mobile and 
static hosts. An architecture for such systems must take 
into account the following facts: 

• Although, some of the information resources will be 
provided by information systems espedaUy tailored for 
such use, many of them will be provided by pre-existing 
applications that were built without taking into ac- 
count the possibility of their future access through 
wireless connections. Rather than rebuilding the ap- 
plications, superimposing upon them appropriate in- 
terfaces is a more realistic approach. 

• An intrinsic characteristic of these information resour- 
ces is their heterogeneity. Heterogeneity is the in- 
evitable result of an expected increase in the scale of 
distributed systems with the introduction of mobile 
hosts. Furthermore, the use of wireless connections 
results in users entering new cells and possibly hetero- 
geneous environment during a single session, 

• The architecture must support extensibility and porta- 
bility. Compliance with evolving standards such as 
CORBA [11] and ODP [24] is a step towards this di- 
rection. 

Because of the above considerations, an object-based ar- 
chitecture seems to be appropriate to serve as the architec- 
ture of a mobile information system. A Distributed Object 
Management System (DOMS) consists of a number of dis- 
tributed hosts and clients [19]. Each host supports one or 
more information systems. Together, the hosts constitute 
the system's information resources. Special Object Servers 
or Object Managers are responsible for building appropriate 
interfaces so that the system's resources appear as objects. 
Clients request operations by sending messages to objects. 
These messages are handled by object servers which direct 
them to the appropriate hosts. 

Object-based architectures are suitable for the following 
reasons: 

• Special Mobile-Object Servers can be built that will 
offer appropriate methods for accessing data from mo- 
bile hosts. These methods will account for the wireless 
of the medium and the fact that the location of a client 
is a frequently changing data, see Figure 3. 

• Object-based architectures hide the heterogeneity of 
the environment, since the response to a message de- 
pends only on the interface and not on the internal 
implementation of the object or the method. 

• Most proposals for standards are based on the dis- 
tributed object paradigm. 



373 



Mobile Host (Client) 

mobile-access{0 2) 



Fixed Host(aicnt) 



V 



static-access(Oj) 



Mobile-Object Server 




\ 




' Interface 




^3 interface 















(Mobile or Fixed) Host 



(Mobile or Rxed) Host 



Figure 3: Object-based Architecture, objects Oi correspond 
to resources stored in static and mobile hosts 



The distributed object-based architecture provides the 
high-level architecture of the distributed heterogeneous in- 
formation system. Internally, each information system that 
participates in the object-based architecture may support 
its own data model. What would be an appropriate internal 
data model for a local mobile database is not clear yet, but 
it should support graphical interfaces and take into account 
the inherent heterogeneity of the mobile environment [2]. 

Location Databases. In addition to the servers that %vill 
provide wireless access to general information resources, the 
system should maintain servers that offer access to informa- 
tion systems that contain location-related information. We 
assume at least two such databases, one per user that would 
include the user's home address and other user-related in- 
formation and one per base station that would include in- 
formation about all hosts under its cell. Location databases 
are: 

• fast changing, 

• geographical, 

• distributed and replicated over many sites to support 
efficient access, 

• imprecise, since the overhead for keeping them up-to- 
date may be overwhelming. 

Data stored in location databases may participate in queries. 
This results in queries that are: 

• of different complexity in terms of location constraints, 

• geographical and moreover dependent on the location 
of the user (e.g. find the nearest restaurant), 

• real-time, 

• imprecise, 

• dependent on the user's direction of move 

Query issues involving location data are discussed in [16]. 
Iii Section 4, we discuss. issues regarding the consistency of 
such data. 



3.3 Two Important Considerations 

Two issues of particular interest in designing information 
systems for mobile environments are to determine the role 
of a mobile host in a distributed computation and to per- 
sonalize the computation. We discuss them further. 

The Role of a Mobile Host. There is no agreement yet 
on the role of a mobile host in a distributed environment. 
The possibilities range from that of a dumb terminal with 
no autonomy to that of a relatively indepetulent conipoaent. 
with enough memory and computing power to perform part 
of the distributed computation locally. Each approach has 
both advantages and disadvantages. Performing part of the 
computation on a mobile host: 

• costs in terras of power consumption, 

• complicates data replication and integrity preserva- 
tion, 

• adds to the search cost of locating the mobile hosts 
arid the data that they produce and consume. 

On the other hand, it 

• allows the autonomous operation of a mobile host dur- 
ing partial and total disconnections, 

• limits bandwidth use, 

• saves the energy cost for the transmission of data to 
and from the fixed network. 

In our design, we adopt the approach that part of the 
computation will be executed in a mobile host, since allow- 
ing a mobile host to operate autonomously is crucial consid- 
ering the frequency of disconnections. But still, since mobile 
hosts are susceptible to failures and accidents, part of the 
computation must be reported to the fixed network. In Sec- 
tion 5, we introduce the notion of transaction proxies that 
provides transaction support for backing-up the computa- 
tion in the fixed network. 



Usftr's Profile. Utilizing information about users gains 
increasing importance as information systems scale in size. 
We assume that this information is stored in a user's profile. 
Information about users is very important to data naviga- 
tion since it can be used to select the information that is 
of interest to a particular user. For instance, users may be 
informed for the release of the latest album of their favored 
artist. Specifically in mobile environments, the user's pro- 
file may also include information about the user's mobility 
pattern, for instance the fact that each day he commutes 
to his office. The user's profile can be part of the location 
database of the user. 

In mobile systems research the user's profile has been 
widely used, for example to determine which data to cache 
before disconnections [18], or to optimize queries about lo- 
cation [16]. In our schema, we propose utilizing information 
stored in a user's profile to define consistency clusters (Sec- 
tion 4) and to simulate mobility (Section 6). 

4 Consistency of Replicated Data 

Communication through the wireless network is very expen- 
sive both monetarily and in terms of bandwidth consump- 
tion. As a consequence, performing operations locally in 
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a mobile host can lead to performance gains and increase 
availability during total and partial disconnections. On the 
other hand, maintaining full consistency among data saved 
in fixed and mobile hosts imposes unbearable overheads in 
mobile environments [3, 14, 20]. We propose a more flexi- 
ble model. The formal definition of the model, its scope and 
the associated correctness criteria are presented in [21], The 
presentation of the model in this section aims at demonstrat- 
ing how the operation modes and the other general consid- 
erations are taken into account in designing the replication 
controller of our information system. 

4.1 Clustering 

We partition the data items of a mobile database into clus- 
ters. All replicas in a cluster are synchronized, while replicas 
at different clusters may vary by some appropriately defined 
degree. In that sense, a cluster is the unit of consistency. 
The degree of inconsistency may vary based on the avail- 
ability of network bandwidth by allowing small deviation 
among the copies in cases of higher bandwidth availability 
and higher deviation in cases of low bandwidth availabil- 
ity. The cluster configuration is dynamic rather than static. 
When clusters are merged the values of all copies of a data 
item are reconciled. 

Defining Degrees. There are many alternative ways of 
defining degrees [22]. The decree may express the divergence 
from the value of the primary copy [1]. In this case, the 
allowable degree may be bounded by limiting the number 
of versions, by setting a maximum value on the allowable 
deviation, or by limiting the number of transactions that 
can operate on inconsistent values, Alternatively, we can 
define the degree as the number of data items or the number 
of data copies per data item that can diverge. 

Defining Clusters. One possible way of defining a clus- 
ter is by grouping together data residing in the same or 
neighboring hosts. For instance, data stored in hosts that 
are partially or totally disconnected from the fixed network 
may be considered as forming a cluster (Figure 4). In this 
casie, by taking advantage of the predictable nature of dis- 
connections, clusters pf data may be created or merged upon 
a forecoming disconnection or connection of the associated 
mobile host. Furthermore, clusters may be defined based on 
the type of data. A characteristic example of such data is 
the data representing the /ocafton of mobile hosts. Since this 
type of data are fast-changing, the maintenance of their full 
consistency could cause unbearable overheads. In addition, 
users may explicitly define clusters based on the semantics 
of their data or applications. Finally, information stored in a 
user's profile mz.y also be utilized to determine clusters. For 
example, data that are most frequently accessed by a user 
or data that are to a great extent private to a user can be 
considered as belonging to the same cluster independently 
of their location, 

4.2 Handling Loose Consistency 

To maximize local processing and limit network accesses, 
^ye allow users to interact with locally (within a cluster) 
available data by introducing two new kinds of operations, 
loose reads and loose writca. Thcac operations allow users 
to operate on loosely consistent data when the lack of strict 
consistency does not affect the semantics of their transac- 
tions. Allowing users to operate on local data is especially 
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Figure 4: A possible cluster configuration, where clustering 
is based on location 

important during total or partial disconnection since those 
data are then the only data that are accessible or affordable 
to access. We call the standard read and write operations 
strict read and strict write operations to differentiate them 
from the loose operations. 

Specifically^ a loose read (i/i2[a]) reads the value writ- 
ten by the last loose or strict write operation on a locally 
available copy, that is on a copy in its cluster. A loose write 
operation ;(i?y[a]) writes some local copies and is not per- 
manent unless it is finally committed after cluster merging. 
A strict read operation (5ii[a]) reads the value written by 
the last strict write operation on a copy located in any of the 
clusters. Finally, the value written by a strict write oper- 
ation ('S'Wfa]) becomes permanent after commitment. Our 
method can be implemented as a 2-version method, where 
local transaction managers maintain two copies of a data 
item, one that is updated by strict writes and one that is 
updated by both strict and loose writes. The first is read 
by strict read operations and the second by loose read op- 
erations; 

Two Types of Basic Transactions. We distinguish two 
types of transactions: 

(a) transactions that consist only of loose read and loose 
write operations and are called hose transactions; and 

(b) transactions that consist only of strict read and strict 
write operations and are called strict transactions. 

Loose transactions are locally committed in their asso- 
ciated clusters. Updates performed by locally committed 
transactions are revealed only to other loose transactions 
in the same cluster. These changes are revealed to strict 
transactions only after merging, when local transactions be- 
come globally committed. Before being globally committed, 
a loose transaction may be undone even after it has been 
locally committed. 

A loose transaction is a transaction that may read loosely 
consistent data and whose writes may be undone any time 
before merging. Strict transactions have the usual seman- 
tics. Loose transactions are suitable for applications that 
do not require exact values of data such as gathering infor- 
mation for statistical purposes. Allowing updates in loose 
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will update an inventory database to reflect the fact that an 
item has been sold. Consumers will use their mobile host to 
book flights, buy tickets or do banking transactions. 

An important issne is what part and how targe a part 
of a transaction will be executed on a mobile host. This is 
related to the role of a mobile host in a mobile distributed 
environment. Operations on a mobile host may minimize 
network access, and optimize response time. On the other 
hand, they cost in terms of local resource consumption (es- 
pecially battery). But the decisive factor for answering this 
question is frequent disconnections. To allow the operation 
of a mobile host during disconnections part of the computa- 
tion must be executed locally. 



Table 3: Conflict relation, a "x" entry indicates that the 
operations for the given row and column conflict. Row en- 
tries correspond to operations of transaction T( and column 
entries to operations of a transaction Tj, where i ^ j 

transactions adds functionality. These updates are finally 
committed only if they do not conflict with the operations 
of a strict transaction. Thus, loose updates are especially 
useful in two cases: (a) for handling private or seldomly 
accessed data for which conflicts are rare, and (b) for trans- 
actions for which compensating actions are possible. 

Users or application developers are able to specify the 
loose or strict reqidrements of their transactions through a 
high-level interface. Then, the operations of each transac- 
tion are automatically translated into loose or strict opera- 
tions according to the given speciflcations. 

Correctness. Two operations of the same transaction con- 
flict if they both access the same data copy and at least one 
of them is a write. Operations of two difierent transactions 
that arc executed before cluster merging conflict' as shown in 
Table 3. Upon merging of clusters we adopt a strictly syn- 
tactic approach to establishing full consistency. We undo all 
loose transactions whose loose writes conflict with a strict 
transaction. We have proven that undoing a loose transac- 
tion can result in undoing only loose transactions in the same 
cluster [21]. SeriaJizability- based criteria for the correctness 
of schedules before and after merging are formally defined 
in [21]. In [21], we have also presented graph-based tests for 
the serializability of the corresponding schedules and com- 
pare our work with other weak consistency proposals in the 
database and operating system coirimunities. 

5 Transactions in a Mobile Environment 

Loose and strict transactions are generic transactions that 
can be considered part of a general mobile transaction that 
models the interaction of a user with a mobile distributed 
system. Generally speaking, a mobile transaction is a dis- 
tributed transaction T, where some parts of the computation 
are executed on mobUe and some parts on nonmobile hosts. 
The model for such a transaction that involves data stored 
in both the flxed and the wireless network has not emerged 
yet. 

A large number of transactions in a mobile environment 
is expected to be read-only transactions, where users will 
query large amount of data. Still, some applications such as 
inventory control, banking applications and travel reserva- 
tions will require updates. For instance, a traveling salesman 



The Characteristics of Mobile Transactions. We iden- 
tify the following as the characteristics of a mobile transac- 
tion: 

• Mobile transactions are transactions that involve the 
wireless network and may be executed in both mobile 
and nonmobile hosts. 

• Using the wireless medium has the following conse- 
quences. Transactions tend to be: 

1. monetarily expensive; 

2. long lived, because of long network delays; 

3, error-prone, because of frequent disconnections 
but also because mobile hosts are more prone to 
accidents than fixed hosts; and 

4, session-based. For some technologies, such as cel- 
lular modems, there is a high start-up charge for 
each communication. Cost-effective transaction 
management may adopt the approach of support- 
ing few long-bved session -based transactions in- 
stead of many short-hved transactions. 

• Mobility Tes\]\\.s in transactions with tlie following char- 
acteristics: 

1. TVansactions access heterogeneous information sys- 
tems. 

2. Transactions access (possibly imprecise) location 
data. 

3. Transactions may involve data that are dynami- 
cally relocated. 



Modeling Mobile Transactions. Mobile transactions are 
long-running, error-prone and heterogeneous. As a conse- 
quence, modehng mobile transactions as ACID transactions 
is very restrictive. ACID transactions have limited expres- 
sive power and offer no way of modeling computations with 
a complex control structure. Furthermore, ACID transac- 
tions do not support, part.ia.1 commitment or abortion of a 
transaction, or partial recovery. Finally, there is no way of 
"suspending" a transaction to survive a disconnection. 

It seems that an open-nested model [10] is more appropri- 
ate for modeling mobile transactions. In that model, each 
transaction consists of a number of sub transactions with a 
specified set of dependencies. The set of dependencies varies 
bajsed on the application and it can be customized. In [7], 
an axiomatic definition of a transaction model for mobile 
transactions is presented. Our approach is diff"erent in that, 
instead of defining a powerful, general transaction model, 



376 



we identify the generic characteristics that this model must 
support to be appropriate for a mobile environment. 

Specifically, to deal with the particularities of the wire- 
less medium, we have introduced loose transactions. Loose 
transactions support disconnected operation and minimize 
bandwidth use. Moreover, they are capable of modeling op- 
erations on imprecise data, such as location data. In this 
section we investigate further on the structure of mobile 
transactions. We present two generic techniques: 

• To deal with the mobility of the environment we in- 
troduce the concept of transaction migration. 

• To deal with the vulnerability of the mobile hosts we 
introduce the concept of a transaction proxy. 

5.1 Transaction Migration 

A mobile host may enter a new cell while in operation. In 
that case, it may be necessary to migrate part of the compu- 
tation that was executed in one fixed host to another fixed 
host. One motivation for migration is improvement in per- 
formance. By moving the computation close to the mobile 
host, the communication cost is minimized. Transaction mi- 
gration (relocation) can be thought of as the dual of data 
relocation. In addition, transaction migration may lead to 
a better load balance among base stations. Furthermore, a 
base station may not be willing to support computation ini- 
tiated by users that are not any more in its cell, for instance 
for security reasons. In that case, transactions submitted to 
the old base station and partially executed there must be 
transferred to the new base station. 

Let Ti be a transaction that was initially submitted at 
site i and then was migrated to site j. We use the notation 
Ti-»» for the part executed at site i and Ti— j for the part 
executed at site j. T,-.t cannot be committed at site % but 
it may conditionally release some of the local resources it 
holds. Ti~*j inherits state information from 1;—,. That in- 
formation depends on the consistency control method used. 
It may include timestamps, requested and granted locks, or 
log files. 

5.2 Transaction Proxies 

To deal with the fact that mobile hosts are more susceptible 
to theft accidents and frequent disconnections, we must re- 
port part of the computation that is performed in a mobile 
host to the fixed network. We model that using the concept 
of transaction proxies. For each transaction T^ executed at 
a mobile host i, we define a dual transaction PTj, called 
proxy, that will be executed on host j, where j is the base 
station of i. 

A proxy transaction may be considered as a subtrans- 
action of the original transaction. Thus, any time a sub- 
transaction is submitted to a mobile host its proxy transac- 
tion is submitted to its base station. The proxy transaction 
includes only the updates of the original transaction. Al- 
ternatively, proxy transactions may be executed off-line. In 
that sense, proxy transactions correspond to taking periodic 
back-ups of the computation which is performed on a mobile 
host. We are investigating necessary criteria for scheduling 
proxies at fixed hosts in a sound and efficient way. 

6 Status Report 

We are currently developing an information system on top 
of ORAID [5]. ORAID is an object-oriented system built 



on top of RAID [6], a distributed database system that has 
been proven successful in supporting experiments in com- 
munication, adaptability, and transaction processing. We 
are modifying the communication library routines [26] to 
simulate the wireless communication. Mobility is captured 
by connecting our simulated mobile station with different 
base stations. We assign to each host that simulates a mo- 
bile host, a fixed host which serves as its base station. The 
mobile host can then directly communicate only with its 
assigned base station. The assignment of base stations to 
mobile hosts is dynamic and is driven by the mobility pat- 
tern as specified in each user's profile. 

In addition to the traditional performance measurements 
mobile computing introduces new performance concerns, in* 
eluding: 

• energy preservation (battery is a limited resource); 

• prudent use of bandwidth (bandwidth in mobile envi- 
ronment is a very scarce and expensive resource); and 

• the degree of autonomy during weak or total discon- 
nections (since disconnections are frequent, mobile co- 
mputers should be able to operate even while discon- 
nected). 

We intend to provide system support for loose transac- 
tions, migration and proxies and study the performance of 
these mechanisms. 

7 Summary 

Wireless communications offer the exciting possibility of ac- 
cessing information independent of location and movement. 
This possibility raises new challenges to the design of in- 
formation systems. In this paper we have reported on the 
design of such a system. The contribution of this paper is 
twofold. First we have: 

• defmed the operation modes of a mobile host; 

• proposed a general object-based architecture for infor- 
mation systems appropriate for mobile environments; 
and 

• identified the main concerns in designing mobile infor- 
mation systems. 

Second, we have shown how these general principles can 
be used to provide system support for transactions in a mo- 
bile environment. Specifically, we have introduced: 

• loose transactions to deal with the frequent, predict- 
able and of various degrees disconnections, 

• transaction migration to model mobility, and 

• transaction proxies to handle recovery. 

Finally, we have briefly reported on the status of our 
system and discussed performance criteria for testing the 
proposed techniques. 
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^ ABSTRACT 

It is expected that in the near future, tens of nnlllions of users will have access to distributed 
infornnation systems through wireless connections. The technical characteristics of the wireless 
medium and the resulting mobility of both data resources and data consumers raise new challenging 
questions regarding the development of information systems appropriate for mobile environments. In 
this paper, we report on the development of such a system. First, we describe the general 
architecture of the information system and the main considerations of our design. Then, based on 
these considerations, we present our system support for maintaining the consistency of replicated 
data and for providing transaction schemas that account for the frequent but predictable 
disconnections, the mobility, and the vulnerability of the wireless environment. 
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ART-UNIT: 271 

PRIMARY-EXAMINER: Black; Thomas G. 
ASSISTANT-EX7VMINER: Homere; Jean R. 



ABSTRACT: 

A device and method redirect query requests to restrict access to private 
information of a domain in a domain name system. The device includes a switching 
device that redirects query requests for the private information from within the 
domain to a device within the domain. The private information includes IP addresses 
and domain names. All the devices in the domain may be modified to direct all query 
requests to the switching device or the switching device may be incorporated into a 
firewall of the domain. 



20 Claims, 13 Drawing figures 
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RELATED-ACC-NO: 1998-180890 

ABSTRACTED-PUB-NG: EP 820176A 
BASIC-ABSTRACT: 

The subsystem includes a filtering device that receives information (520) from a 
first device of a first domain destined to a second device of a second domain. The 
filtering device generates filtered information (522) by removing private 
information of the second domain from the information and forwarding the filtered 
information to the second device of the second domain. 

Preferably the private information of the second domain includes at least one of a 
domain name and an IP address of a device of the second domain. Preferably the 
information is sent by the first device in response to a query request by the 
second device. The information includes additional information that was not 
requested by the second device and which is filtered out before delivery to the 
second device. 

USE - E.g. for restricting access to private information in domain name systems. 

ADVANTAGE - Removes any possibility for device within domain to receive private 
information from device external to domain, 

ABSTRACTED-PUB-NO: US 5805820A 
EQUIVALENT-ABSTRACTS : 

The subsystem includes a filtering device that receives information (520) from a 
first device of a first domain destined to a second device of a second domain. The 
filtering device generates filtered information (522) by removing private 
information of the second domain from the information and forwarding the filtered 
information to the second device of the second domain. 

Preferably the private information of the second domain includes at least one of a 
domain name and an IP address of a device of the second domain. Preferably the 
information is sent by the first device in response to a query request by the 
second device. The information includes additional information that was not 
requested by the second device and which is filtered out before delivery to the 
second device. 

USE - E.g. for restricting access to private information in domain name systems. 

ADVANTAGE - Removes any possibility for device within domain to receive private 
information from device external to domain. 

US 5958052A 
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The subsystem includes a filtering device that receives information (520) from a 
first device of a first domain destined to a second device of a second domain. The 
filtering device generates filtered information (522) by removing private 
information of the second domain from the information and forwarding the filtered 
information to the second device of the second domain. 

Preferably the private information of the second domain includes at least one of a 
domain name and an IP address of a device of the second domain. Preferably the 
information is sent by the first device in response to a query request by the 
second device. The information includes additional information that was not 
requested by the second device and which is filtered out before delivery to the 
second device. 

USE - E.g. for restricting access to private information in domain name systems. 

ADVANTAGE - Removes any possibility for device within domain to receive private 
information from device external to domain. 
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on a network 
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ART-UNIT: 237 

PRIMARY-EXAMINER: Black; Thomas G. 
ASSISTANT-EXAMINER: Goby; Frantz 
ATTY-AGENT-FIRM: Kirkpatrick & Lockhart LLP 



ABSTRACT: 

A method of constructing a catalog of files stored on a network comprised of a 
plurality of interconnected computers each having a plurality of files stored 
thereon. The method is accomplished by establishing a queue containing at least one 
address representative of a file stored on one of the interconnected computers, 
ranking each address in the queue according to the popularity of the file presented 
by the address, downloading the file corresponding to the address in the queue 
having the highest ranking, processing the downloaded file to generate certain 
information about the downloaded file for the catalog, adding to the queue any 
addresses found in the downloaded file, and determining the popularity of file 
represented by the addresses in the queue according to how often a file is 
referenced by a computer other than the computer on which the file is stored. 

38 Claims, 13 Drawing figures 
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for download and file information generation for catalog 
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DESCRIPTOR 



INT-CL (IPC) : G06F 17/30 



RELATED-ACC-NO: 2003-566758 



ABSTRACTED-PUB-NO: US 5748954A 
BASIC-ABSTRACT: 

The catalog construction method involves establishing a queue containing at least 
one address representative of a file stored on one of the interconnected computers. 
Each address in the queue is ranked according to a heuristic. The file 
corresponding to the address in the queue having the highest ranking is downloaded. 
The downloaded file is processed to generate certain information about the 
downloaded file for the catalog. Any addresses found in the downloaded file are 
added to the queue. 



This process is repeated. Address ranking includes ranking each address according 
to the popularity of the file represented by that address. The downloaded file 
processing includes storing link text, and merging the link text to generate 
information about files referenced in the downloaded files for the catalog. 

ADVANTAGE - Provides accurate file search results. Processes information in 
meaningful manner. 

ABSTRACTED-PUB-NO: US 5748954A 
EQUIVALENT-ABSTRACTS : 
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ART-UNIT: 267 

PRIMARY-EXAMINER: Mullen; Thomas . 
ASSISTANT-EXAMINER: Wong; Albert K. 
ATTY-AGENT-FIRM: Rader Fishman & Grauer PLLC 

ABSTRACT : 

The present invention relates to an improved method and apparatus for an 
interactive, computerized catalog system in which a customer can selectively access 
video and audio catalog data from a computerized catalog memory that permits a 
customer to peruse an entire catalog of products or services or select specific 
portions from specific catalogs or services and if desired place an order which is 
processed electronically and from which customer profile marketing data is 
selectively generated. 
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ABSTRACTED-PUB-NO: CA 2176297A 
BASIC-ABSTRACT: 

The interactive computerised catalogue process comprises storing digitised graphic 
catalogue data in an addressable computer system memory. A menu index of catalogue 
products and services comprising the catalog data available is generated for 
selective viewing at any user's telephone terminal screen. 



A communication link is established between a user's telephone terminal and the 
computer system memory. The menu of catalogue products and services data to a 
user's telephone terminal is transmitted in response to a user's initial request. 
The catalogue data which corresponds to the user's product request signal is 
transmitted from the computer system memory. 



An order processing sequence, including a financial payment authorisation process, 
is initiated to permit a user to enter, from a user telephone terminal, a product 
order to be processed and delivered in response to the user's order. 



A user is enabled when placing an order to elect to be included in or to be 
excluded from a customer profile marketing data file created from completed 
catalogue product order transactions. 

ADVANTAGE - Efficient product and service selectivity to prospective customers and 
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which selectively generate market profile data of users and customers. 

ABSTRACTED-PUB-NO: US 5721832A 
EQUIVALENT-ABSTRACTS : 

The interactive computerised catalogue process comprises storing digitised graphic 
catalogue data in an addressable computer system memory. A menu index of catalogue 
products and services comprising the catalog data available is generated for 
selective viewing at any user's telephone terminal screen. 

A communication link is established between a user's telephone terminal and the 
computer system memory. The menu of catalogue products and services data to a 
user's telephone terminal is transmitted in response to a user's initial request. 
The catalogue data which corresponds to the user's product request signal is 
transmitted from the computer system memory. 

An order processing sequence, including a financial payment authorisation process, 
is initiated to permit a user to enter, from a user telephone terminal, a product 
order to be processed and delivered in response to the user's order. 



A user is enabled when placing an order to 
excluded from a customer profile marketing 
catalogue product order transactions. 

ADVANTAGE - Efficient product and service < 
which selectively generate market profile < 

. US 5968110A 



elect to be included in or to be 
data file created from completed 



selectivity to prospective customers and 
data of users and customers. 



The interactive computerised catalogue process comprises storing digitised graphic 
catalogue data in an addressable computer system memory. A menu index of catalogue 
products and services comprising the catalog data available is generated for 
selective viewing at any user's telephone terminal screen. 

A communication link is established between a user's telephone terminal and the 
computer system memory. The menu of catalogue products and services data to a 
user's telephone terminal is transmitted in response to a user's initial request. 
The catalogue data which corresponds to the user's product request signal is 
transmitted from the computer system memory. 

An order processing sequence, including a financial payment authorisation process, 
is initiated to permit a user to enter, from a user telephone terminal, a product 
order to be processed and delivered in response to the user's order. 

A user is enabled when placing an order to elect to be included in or to be 
excluded from a customer profile marketing data file created from completed 
catalogue product order transactions. 

ADVANTAGE - Efficient product and service selectivity to prospective customers and 
which selectively generate market profile data of users and customers. 
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